Update Opener 1.5.1 to Opener 1.5.2 #36445

Closed
armiasaied opened this issue Dec 8, 2020 · 8 comments

armiasaied commented Dec 8, 2020

Is your feature request related to a problem? Please describe.
Opener 1.5.1 is vulnerable to code injection attacks
domenic/opener#34

Describe the solution you'd like
Update Opener 1.5.1 to Opener 1.5.2

Describe alternatives you've considered
Please describe alternative solutions or features you have considered.

benjamingr (Member) commented Dec 9, 2020

The only place I see opener in the Node codebase is NPM and that's already 1.5.2 I believe?

Mind pointing me to what you mean?

armiasaied (Author) commented Dec 9, 2020

Hi @benjamingr, in a private instance of Sonatype the scan shows that it's located at node-v14.15.1-win-x64.zip/node-v14.15.1-win-x64/node_modules/npm/node_modules/opener/lib

It's for Node LTS 14.15.1
https://github.com/nodejs/node/blob/v14.x/deps/npm/node_modules/opener/package.json

My apologies, I didn't mention that.

richardlau (Member) commented Dec 9, 2020

Doesn't look like the most recent npm 6 release (#36450) contains the updated version of opener.
cc @nodejs/npm

richardlau added the npm label Dec 9, 2020

MylesBorins (Member) commented Dec 9, 2020

pinged the team to discuss

armiasaied (Author) commented Dec 17, 2020

> pinged the team to discuss

Hi @MylesBorins, any updates?

14.15.2 was released and it has opener 1.5.1, do you know when this request can be progressed?

MylesBorins (Member) commented Dec 17, 2020

@armiasaied we are working on getting an npm 6 release out ASAP and I'll get that backported to all appropriate release lines and discuss with the release team about a timeline to include it. Hopefully we can get this out relatively quickly in the new year

richardlau added a commit that referenced this issue Dec 23, 2020
PR-URL: #36571
Fixes: #36445
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>

targos (Member) commented Dec 28, 2020

The fix landed and will be in the next releases of v14/v12/v10

targos closed this Dec 28, 2020

armiasaied (Author) commented Dec 28, 2020

Thank you All ☺️
